How to properly configure ftp for /var/www/

Hello,

I have recently installed dietpi on my raspberry 4. I am a fairly new user to self-hosting, so please bear with me.

I have proftdp for accessing my device and all my web related stuff is in /var/www/… and using apache2 which works fine so far.

Unfortunately, I can not figure out how to properly access my files there via ftp.
The folder and files in /var/www/xyz are owned by www-data:www-data, which means, when I access my device via ftp as the dietpi user, I do not have sufficient rights so create files and folders there, which makes working pretty unpleasing.

How does the “correct” way look like to handle such cases? When I access webspace on paid hosting, the ftp user usually works fine.

I’d be glad about any hint or guide to adjust my setup and make this work.

Kind regards
Andi

Hi,

theoretically you could add user dietpi into group www-data. This way you should be able to adjust files inside /var/www/ if the group has write permission.

Thanks for your answer! :slight_smile:

Does “theoretically” mean that this is not best practice?

How can I make sure that www-data has write permissions? This group should have them I guess, at least creating files and running some CMS works fine.

I will try adding dietpi to www-data. Does this change come in effect immediately or is a reboot required?

simply run following

ls -la /var/www/

It should display the current permission on the web-root folder. I will link some explanation on how permission are working.

https://www.guru99.com/file-permissions.html

Probably following could help on adding user to a group. It should take effect immediately.

Thanks for these links.

I can see, that my cms folder has the permissions drwxr-xr-x which means the group is not allowed to write files and folders.
If I need to change this, may this cause any issues? Security or usability related?

I tried your suggestion and it works as intended.
Unfortunately, the created files and folders do not belong to www-data but to dietpi and hence can not be modified by apache or php :frowning:

Can I solve this, or am I forced to login as www-data (which sounds wrong in my opinion)?

ok I found a better way compare to add user dietpi into group www-data :smiley:

You could create a virtual ftp user having the same permission as user/group www-data. The idea is based on following blog

Simply create a drop-in configuration

nano /etc/proftpd/conf.d/virt_user.conf

and add following

# setup virt user
RequireValidShell off
AuthUserFile /etc/proftpd/ftpd.passwd
#AuthGroupFile /etc/proftpd/ftpd.group
AuthOrder mod_auth_file.c

save the file and add a new user called ftp. Choose a different name if you like.

sudo ftpasswd --passwd --file=/etc/proftpd/ftpd.passwd --name=ftp --uid=33 --gid=33 --home=/var/www --shell=/bin/false

once done, restart the service

systemctl restart proftpd
1 Like

This is indeed a very elegant solution. Thanks for you detailed instructions, I will remember this :slight_smile:

I got it working yesterday with some of your hints:

  • I added dietpi user to www-data group
  • set my cms folder permissions to rwxrwx—
  • add the setgid so all newly created files automatically get the www-data group, which works fine for ftp usage.

I do not know whether this is considered bad practice, but I am the only user and ftp is only accessible from my local network and not from the internet, I think this could be okay.